Extracted

• • Target

    526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d

  • Size

    6.2MB

  • MD5

    b66c3e5a02f4287c96e433fe130a2cc6

  • SHA1

    77955f00cee70fbb6990e4ac07aea4d1a9a8e167

  • SHA256

    526330a5801be45ad490a9057dab40dc70fee6e55258d77e049e98049b25001d

  • SHA512

    89335195b086d7d0c1ab137716535b77f218e4fd8f906ed5c1a0a01e7d62c87d7c17aa23805413d9f42babfa0371f04fa60a5f6a78e9b7bccab4e69bdd08e9ca

  • SSDEEP

    98304:cDiT1yf9FYIObKiHC2e9qecljV6XRbo7ktbJnfCBlSx2k8VrhMPS5zIP5/35:cwS5ODzD4XRbo7OblaBDrmq5EP5/35

  Score

  10^/10

  evasionbitrattrojan

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2